Introduction: more than tinfoil hats
Congratulations! If you’re reading this, you are part of the lucky few that understand they need to care about cybersecurity risk management. You would think I am being sarcastic. I am not. According to recent reports, one in three companies do not have a written information security policy, and 67% of CIOs don’t consider cyber security to be a major issue. And even when they do write a policy, only 49% of companies do security risk management. What this means is: by reading this, you are already getting an edge over half of the companies, and, statistically, half of your competitors. Before you know what, your cyber-security risks are, you have to know there are cyber-security risks. And it seems you understand this.
The point of all this is: Cybersecurity Risk Management doesn’t necessarily mean bad news forecasting. You can do way more than protecting yourself with this! When the security risks are assessed and mapped correctly, and work jointly with production, development cycles can be more efficient, shorter, some insurances cheaper, and, of course, you will be more prepared to get back to work after a security breach happens, if you mapped your risks correctly. In an increasing number of sectors (banking and insurances being among the first) assess the risks can even increase your margins, or allow you to gain new markets, giving you an edge over competitors! Long story short: Risk management is more than announcing the Apocalypse and wearing tinfoil hats. It can be a differentiating factor for your startup.
In this post, I will quickly get you started on how to manage risks, by focusing on the mindset recommended to assess risks, and the most common method to manage them: the CIAP method.
Key elements of a good risk assessment paradigm
This part focuses on the main risk for your company: your security paradigm. You would be surprised as to what a good mindset can achieve regarding security.
Optimism: Information Security, as said, is too often seen as a burden, when it could be seen as a helping hand. This is the first and main component of a good Information Security paradigm: be positive about security! Here are some ways to consider how YOU can make the best of the risk management policy you are making or about to make:
- Since Snowden’s revelations, people are becoming more and more concerned about privacy. Customers will expect their data to be secured. Risk management enables trust. And the trust of your customers is worth a lot more than what you would save by going full ostrich and ignoring the elephant in the room.
- Managing your risks will also tell you what markets you could also target. In nearly every country now, risk assessment and management is a requirement to work for healthcare services.
- And my personal favorite: you could even copy-and-paste part of your code from security handbooks! If for example, you realize you use weak cryptography, you could quickly solve the problem by taking free, plug-and-play cryptographic functions implementations that are available online: the well-known OpenSSL could be such an example. Begone, countless hours of development!
It can seem obvious, but again, the numbers are staggering: 77% of respondents to a 2015 survey of businesses say that they do not trust their company’s security plan. Talk about it, try to take this subject as an occasion to make even better products.
Be happy! Your time spent thinking about what could go wrong makes your company a better place.
Proactivity: Now that you are aware of all the good things risk management can do to you, don’t let your security issues take the fight to you. Take the fight to them! The benefits it yields are countless:
- By thinking ahead, you will get a keen eye for security flaws, and you will start to think as a cyber criminal. This will eventually lead you to better design choices.
- Mapping and managing your risks ahead will also make people meet and talk on the subject. Security will stop being a taboo, or an unrealistic concern. This will have another interesting effect: you will inadvertently start a security awareness training for your employees, by making them think about what is at risk.
Proactivity on the risk management will be rewarding. Integrate Risk Management and security services to your projects lifecycles since the beginning, their advice on design could surprise you! Make sure your staff is exposed to security issues.
Pragmatism and Realism: Don’t let yourself be fooled by what’s at stake: a well-informed, cold-blooded approach to Information Security is the best way to make sure you won’t spend too much.
Take your risk management process as an accounting one: You have depreciation for fixed assets, does this mean you are paranoid about what you have? Information Security cost can be seen, in a way, as “Information Maintenance” following the same idea.
First, make sure you know what you have in your company: map what assets you have, what your processes are, and keep an eye on this inventory: as your company grows, so must the inventory.
Then, make sure you follow a method to classify and learn the risks. Be realistic, start small. Don’t spend money to defend yourself against state-sponsored actors using stealthy viruses, and exploiting advanced “zero-day” vulnerabilities, when your team members click on every attached file they receive, with an out-of-date anti-virus software. The method we will discuss next will help you locate the risks, but before we get to it, remember that realism is always the main component of any policy: if a strict and restrictive policy gets in the way of the production, it will seldom be enforced or worked around. If a policy is not clear, it will be ignored. Get people to collaborate on the policy. Or, even better get people to enjoy secure environments.
By being Optimistic on what risk management could bring, Proactive by making sure your risk map is up-to-date, and Pragmatic by mapping and knowing what is at risk (we will get to this), you will be able not only to get a good risk management policy, but a culture of security throughout your company.
The CIA Method
The most common way to map and know your risks is the CIAP Method: to explain it simply, consider every connection, inside or to your network, as a contract:
- You don’t want your competitors to know what is in your contracts: you want Confidentiality.
- You don’t want anyone to modify the content of your contract (for example, the price agreed upon) without your consent: you want Integrity.
- If you negotiate a contract with the same customer as before, you may want to know what you agreed upon last time. More broadly, you want to know what is in your contract at any given moment: you want Availability.
The method also adds another part to consider (even if people stop at C, I, A): If your contract gets disclosed, destroyed, or maliciously modified, you may want a Proof that this happened, for insurance purposes, for example.
There you have it: the method is named upon its four main components: Confidentiality, Integrity, Availability, (sometimes Proof)
Start with the mapping you made previously, or make one. Do not hesitate to get some help: security consulting is here for a reason. Split your startup into all its assets and relationships: database, servers, or even third-party contractors! Then, evaluate your needs based upon the three (or four) aspects of the method. I will give you in the example the assets and relationships that are often taken into account but do not forget that this list is not the final list you will have: every startup is different, every risk map is different.
Customer Database (SQL servers for example), web servers (HTTP servers for example), resources for internal use (it could be a cloud-based data sharing platform for example), HR database, standard computers (with their accounts), test, pre-production, and production environments (as a whole), sub-contractors.
Then, create a threat map for each asset, to answer the question: what do I need to be sure of for this asset?
For example, take your website: Confidentiality failure is not a threat here, as the information displayed is public. Integrity and Availability, however, are extremely important here, as you don’t want your main entrance page to be unavailable or to display, say, untasteful/hateful speech.
In your HR, or customer services’ servers or workstations, however, things are different: you don’t want any information to leak. Confidentiality breach could be costly, because of the potential lawsuits, or the loss of credibility. But if the customers’ billing can take place the day after, it does not really matter if your server is unreachable today… as long as you don’t lose any information. Availability is less important than Confidentiality in this case, but Integrity is still paramount. For every case, there is a special threat map.
To help you build this, let us focus on each component, as they are broader than they seem:
Confidentiality is the inability for unauthorized information to leak. This means more than cryptography! A forgetful employee losing their access card and giving away a physical access to private reports that were on a desk can be a Confidentiality breach.
The sources of breach based on this point of view are countless, here is a list of some you should primarily take into consideration:
- Physical access
- Database (un)encryption
- Sensitive Data (absence of) policies (e.g.: no two-factor authentication for sensitive data)
- (No) Employee Security Awareness Training: because it makes users more resistant to social engineering and data theft.
- (No) User Account Management Sanitation and Reporting (e.g.: Active Directory audits, strong password policies enforcement)
- (No) Mobile devices encryption and update
- (No) Workstations security and auto-updating
- (No) Network Intrusion Protection Systems
- (No) No web application protection solution or (no) configuration (with (no) emphasis on outgoing connections)
Integrity traduces the robustness/resilience of data to any attempt -unauthorized or entropic- to modify or suppress parts of data. Robust Integrity policies can also protect from non-malicious data-scraping or deletion: a forgetful employee overwriting a document can delete data with little to no malicious intent.
Sources of Integrity Breach can be numerous, here is also a list of the first things you should consider:
- Absence of file history and revertability on any database or file-sharing platform.
- Absence of authentication for uploading.
- No password policy on admin accounts for cloud-hosted websites.
- Outsourced hosting for cosmetics in a webpage (images, buttons, etc.)
- No information integrity control on databases (hashes, checksums…)
- Absence of encryption for internal communication.
The last one is particularly interesting: contrary to popular belief, encryption not only protects from data theft attempts but also protects from data corruption attempts: most modern cryptosystems include information integrity control, giving you a cheap an extremely reliable way to transfer information without fear of it getting corrupted.
Availability is the capacity to successfully get data when one has authorized access.
Surprisingly, availability-based attacks are the most profitable for cyber-pirates: the well-known DDoS attacks (Distributed Denial of Service) are extremely profitable. A lot of infected computers query a website to deny other legitimate users a chance to get to a website. While the cyber-pirates DDoS victims, they propose their services as an anti-DDoS company.
Availability is often overlooked but can paralyze a startup if it fails. Here are some basic elements that can make your data unavailable:
- Outsource your data in low-tier data centers, cheaper but riskier.
- Have no redundant data storage
- Have bad policies for modification of files in production.
- No Content Delivery Networks
- Bad scalability of frontend servers for heavy duty.
- Bad workstation and server maintenance.
Redundancy and scalability are the key principles of Availability. A lack of any of those could result in some services unavailable, and costly downtimes.
I will quickly discuss proof, as this is not exactly risk management, but can tremendously help you get back to work after a successful breach, as you will know exactly the « what, where, and when » of the attack.
The main component of proofing system is logging, and logging requires authentication. In order to make good proof systems, just remember to strongly authenticate your users (« I am sure this user is the one is think about ») and to reliably log (« I am sure said user did this ») any activity.
In any case
Anyone that has full authorized administrator access to a system can leak files content, irreversibly corrupt data, or make data unavailable. Be aware that any compromised account, whether it is a user or admin account, can lead to this situation. Weak authentication, bad physical access control, or unconfigured admin pages are way-too-common examples of obvious, costly security flaws.
/Two-factor authentication is a good way to mitigate these, and can have a lot of implementations: SMS and password, secure token generator and password, or fingerprint and passcode for physical access. The common part being: it must be based on something only your user has (phone, ID card, biological characteristics…), and on something only your user knows (password, passcode, secret answer).
Risk management is not a burden, it is a rational way to improve the security and efficiency of your startup, potentially giving you additional information that can be used for strategic purposes, as well a healthy mindset within your company. By knowing that your startup relies on the secrecy of authorized data (Confidentiality), the absence of any corruption regarding any data (Integrity), and the ease of access of it (Availability), you can quickly, in conjunction with a map of your assets, get what threatens your company. With the help of a security expert and the knowledge of the entire company members, you will be able to know what the probabilities are for every scenario based on the threat map and then assess what will you have to invest to make your infrastructure secure.
Read the OWASP Top 10 cheat sheet for startup CTOs to learn how to protect web applications against security vulnerabilities.
About the Author
François Menet is a former cyber-security consultant, now working for Polytechnique Montreal’s high-security Lab (SecSI Lab). He focuses on innovative ways to detect malicious network intrusion, and studies malware obfuscation, to identify nefarious behavior within a network at any step of a cyber-attack.